RubyGems - standard_id - Versions diffs - 0.3.2 → 0.5.0 - Mend

standard_id 0.3.2 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f0a6bc5ee9c7ea15e8f9ea7bee06f7cb080da52fade31a85bb0d0ead5207552
-  data.tar.gz: 8dffbedfccd7f2434fbf77befe544ebb0c2dc55e4bbbbfb105c11254543e8103
+  metadata.gz: 956fc621df693ec184f7d65482d96c4f25d99ae55274b68681c9c6b892bde095
+  data.tar.gz: 0d5c39a196c8c9e8c99adb24fa61552698672f3df4a5bcf3d06d03b2b61e6a46
 SHA512:
-  metadata.gz: dd96b17327a9468bd2128dea33826450009949e73b6579e36f7c422cd5f9e8aa36a1201de4019e523f79f709539a2cc2e4f8c92dabb15fdef0505488fb3c9cb1
-  data.tar.gz: 74e0c84b638ecb2ab7dbc7f7303617e8b2614fc62f9c8218f33da27136f267f41f6ca676afdff2197395eff5410b538fc186f3c9c9f1c7148cd43bc653b22b57
+  metadata.gz: 584c37aa6aa46abe4a576297d6d754e5632c4b710c59dd1bd2b6f8d7c5c17ac86a8aef109df15fe3de720a7d1be405af31441f833a914b3bc8bfea264b296da5
+  data.tar.gz: 1733a94c80aba6290cc5eabbe7df67f4ff145c5af18e8cb9202cd3d598b5e5569039fc729cdfed3eacfee55908fe36bf4801e706da7c0e8b544666383b7b6863

data/app/controllers/concerns/standard_id/controller_policy.rb ADDED Viewed

@@ -0,0 +1,99 @@
+require "monitor"
+require "set"
+module StandardId
+  module ControllerPolicy
+    extend ActiveSupport::Concern
+    included do
+      class_attribute :_standard_id_auth_policy, instance_writer: false
+    end
+    class_methods do
+      # Declares this controller as public (no host-app auth required).
+      def public_controller
+        self._standard_id_auth_policy = :public
+        ControllerPolicy.register(self, :public)
+      end
+      # Declares this controller as authenticated (requires host-app
+      # authentication but not authorization).
+      def authenticated_controller
+        self._standard_id_auth_policy = :authenticated
+        ControllerPolicy.register(self, :authenticated)
+      end
+      # Auto-register subclasses that inherit a policy declaration.
+      # This ensures controllers like VerifyEmail::ConfirmController
+      # (which inherits from VerifyEmail::BaseController) appear in
+      # the registry and receive AuthorizationBypass skips.
+      def inherited(subclass)
+        super
+        policy = subclass._standard_id_auth_policy
+        ControllerPolicy.register(subclass, policy) if policy
+      end
+    end
+    # Monitor instead of Mutex: registry is called from within synchronized
+    # blocks (e.g. register, public_controllers), so we need reentrant locking.
+    LOCK = Monitor.new
+    private_constant :LOCK
+    class << self
+      def public_controllers
+        LOCK.synchronize { registry[:public].dup }
+      end
+      def authenticated_controllers
+        LOCK.synchronize { registry[:authenticated].dup }
+      end
+      def all_controllers
+        LOCK.synchronize { registry[:public] + registry[:authenticated] }
+      end
+      # Registers a controller under the given policy. Raises if the
+      # controller is already registered under the opposite policy.
+      # Re-registering under the same policy is a safe no-op (Set semantics).
+      def register(controller, policy)
+        LOCK.synchronize do
+          other = policy == :public ? :authenticated : :public
+          if registry[other].include?(controller)
+            raise ArgumentError, "#{controller} is already registered as #{other}"
+          end
+          registry[policy] << controller
+        end
+        # If AuthorizationBypass has already been applied, apply skips to this
+        # newly registered controller immediately. This handles dev-mode lazy
+        # loading where controllers register after the initial apply_skips! call.
+        AuthorizationBypass.apply_to_controller(controller, policy) if AuthorizationBypass.applied?
+      end
+      # Returns a point-in-time copy of the registry, safe to iterate
+      # without holding the lock.
+      def registry_snapshot
+        LOCK.synchronize do
+          (@registry ||= { public: Set.new, authenticated: Set.new })
+            .transform_values(&:dup)
+        end
+      end
+      private
+      def registry
+        LOCK.synchronize { @registry ||= { public: Set.new, authenticated: Set.new } }
+      end
+      public
+      # @api private — intended for test isolation only.
+      def reset_registry!
+        LOCK.synchronize do
+          @registry = { public: Set.new, authenticated: Set.new }
+        end
+      end
+    end
+  end
+end

data/app/controllers/standard_id/api/authorization_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Api
     class AuthorizationController < BaseController
+      public_controller
       include ActionController::Cookies
       skip_before_action :validate_content_type!

data/app/controllers/standard_id/api/base_controller.rb CHANGED Viewed

@@ -1,9 +1,11 @@
 module StandardId
   module Api
     class BaseController < ActionController::API
+      include StandardId::ControllerPolicy
       include StandardId::ApiAuthentication
       include StandardId::SetCurrentRequestDetails
+      before_action -> { Current.scope = :api if defined?(::Current) }
       before_action :validate_content_type!
       after_action :set_no_store_headers

data/app/controllers/standard_id/api/oauth/callback/providers_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Api::Oauth
     module Callback
       class ProvidersController < BaseController
+        public_controller
         include StandardId::SocialAuthentication
         skip_before_action :validate_content_type!

data/app/controllers/standard_id/api/oauth/tokens_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Api
     module Oauth
       class TokensController < BaseController
+        public_controller
         skip_before_action :validate_content_type!
         FLOW_STRATEGIES = {

data/app/controllers/standard_id/api/oidc/logout_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Api
     module Oidc
       class LogoutController < ::StandardId::Api::BaseController
+        public_controller
         include ActionController::Cookies
         skip_before_action :validate_content_type!

data/app/controllers/standard_id/api/passwordless_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Api
     class PasswordlessController < BaseController
+      public_controller
       include StandardId::PasswordlessStrategy
       def start

data/app/controllers/standard_id/api/userinfo_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Api
     class UserinfoController < BaseController
+      authenticated_controller
       skip_before_action :validate_content_type!
       def show

data/app/controllers/standard_id/api/well_known/jwks_controller.rb CHANGED Viewed

@@ -3,7 +3,13 @@
 module StandardId
   module Api
     module WellKnown
+      # Inherits from ActionController::API (not Api::BaseController) to avoid
+      # content-type validation and no-store cache headers — JWKS is a public,
+      # cacheable endpoint. Includes ControllerPolicy directly as a result.
       class JwksController < ActionController::API
+        include StandardId::ControllerPolicy
+        public_controller
         def show
           jwks = StandardId::JwtService.jwks

data/app/controllers/standard_id/web/account_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class AccountController < BaseController
+      authenticated_controller
       def show
         @account = current_account
         @sessions = current_account.sessions.active.order(created_at: :desc)

data/app/controllers/standard_id/web/auth/callback/providers_controller.rb CHANGED Viewed

@@ -3,6 +3,8 @@ module StandardId
     module Auth
       module Callback
         class ProvidersController < StandardId::Web::BaseController
+          public_controller
           include StandardId::WebAuthentication
           include StandardId::SocialAuthentication
           include StandardId::Web::SocialLoginParams

data/app/controllers/standard_id/web/base_controller.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 module StandardId
   module Web
     class BaseController < ApplicationController
+      include StandardId::ControllerPolicy
       include StandardId::WebAuthentication
       include StandardId::SetCurrentRequestDetails
@@ -9,6 +10,7 @@ module StandardId
       layout -> { StandardId.config.web_layout.presence || "application" }
+      before_action -> { Current.scope = :web if defined?(::Current) }
       before_action :require_browser_session!
     end
   end

data/app/controllers/standard_id/web/login_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class LoginController < BaseController
+      public_controller
       include StandardId::InertiaRendering
       include StandardId::Web::SocialLoginParams
       include StandardId::PasswordlessStrategy

data/app/controllers/standard_id/web/login_verify_controller.rb CHANGED Viewed

@@ -1,10 +1,9 @@
 module StandardId
   module Web
     class LoginVerifyController < BaseController
-      include StandardId::InertiaRendering
-      include StandardId::PasswordlessStrategy
+      public_controller
-      class OtpVerificationFailed < StandardError; end
+      include StandardId::InertiaRendering
       layout "public"
@@ -27,42 +26,21 @@ module StandardId
           return
         end
-        # Record failed attempts outside the main transaction so they persist
-        challenge = find_active_challenge
-        attempts = record_attempt(challenge, code)
-        if challenge.blank? || !ActiveSupport::SecurityUtils.secure_compare(challenge.code, code)
-          emit_otp_validation_failed(attempts) if challenge.present?
+        result = StandardId::Passwordless::VerificationService.verify(
+          connection: @otp_data[:connection],
+          username: @otp_data[:username],
+          code: code,
+          request: request
+        )
-          flash.now[:alert] = "Invalid or expired verification code"
+        unless result.success?
+          flash.now[:alert] = result.error
           render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
           return
         end
-        strategy = strategy_for(@otp_data[:connection])
-        begin
-          ActiveRecord::Base.transaction do
-            # Re-fetch with lock inside transaction to prevent concurrent use
-            locked_challenge = StandardId::CodeChallenge.lock.find(challenge.id)
-            raise OtpVerificationFailed unless locked_challenge.active?
-            account = strategy.find_or_create_account(@otp_data[:username])
-            locked_challenge.use!
-            emit_otp_validated(account, locked_challenge)
-            session_manager.sign_in_account(account)
-            emit_authentication_succeeded(account)
-          end
-        rescue OtpVerificationFailed
-          flash.now[:alert] = "Invalid or expired verification code"
-          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
-          return
-        rescue ActiveRecord::RecordInvalid => e
-          flash.now[:alert] = "Unable to complete sign in: #{e.record.errors.full_messages.to_sentence}"
-          render_with_inertia action: :show, props: verify_page_props, status: :unprocessable_content
-          return
-        end
+        session_manager.sign_in_account(result.account)
+        emit_authentication_succeeded(result.account)
         session.delete(:standard_id_otp_payload)
@@ -98,56 +76,6 @@ module StandardId
         end
       end
-      def find_active_challenge
-        StandardId::CodeChallenge.active.find_by(
-          realm: "authentication",
-          channel: @otp_data[:connection],
-          target: @otp_data[:username]
-        )
-      end
-      def record_attempt(challenge, code)
-        return 0 if challenge.blank?
-        return 0 if ActiveSupport::SecurityUtils.secure_compare(challenge.code, code)
-        attempts = (challenge.metadata["attempts"] || 0) + 1
-        challenge.update!(metadata: challenge.metadata.merge("attempts" => attempts))
-        max_attempts = StandardId.config.passwordless.max_attempts
-        challenge.use! if attempts >= max_attempts
-        attempts
-      end
-      def emit_otp_validated(account, challenge)
-        StandardId::Events.publish(
-          StandardId::Events::OTP_VALIDATED,
-          account: account,
-          channel: @otp_data[:connection]
-        )
-        StandardId::Events.publish(
-          StandardId::Events::PASSWORDLESS_CODE_VERIFIED,
-          code_challenge: challenge,
-          account: account,
-          channel: @otp_data[:connection]
-        )
-      end
-      def emit_otp_validation_failed(attempts)
-        StandardId::Events.publish(
-          StandardId::Events::OTP_VALIDATION_FAILED,
-          identifier: @otp_data[:username],
-          channel: @otp_data[:connection],
-          attempts: attempts
-        )
-        StandardId::Events.publish(
-          StandardId::Events::PASSWORDLESS_CODE_FAILED,
-          identifier: @otp_data[:username],
-          channel: @otp_data[:connection],
-          attempts: attempts
-        )
-      end
       def emit_authentication_succeeded(account)
         StandardId::Events.publish(
           StandardId::Events::AUTHENTICATION_SUCCEEDED,

data/app/controllers/standard_id/web/logout_controller.rb CHANGED Viewed

@@ -1,6 +1,13 @@
 module StandardId
   module Web
     class LogoutController < BaseController
+      # Classified as authenticated (not public) because logout requires
+      # host-app authentication. The controller handles unauthenticated
+      # users gracefully via redirect_if_not_authenticated rather than
+      # raising, and skips require_browser_session! to allow session
+      # revocation even with an expired browser session.
+      authenticated_controller
       skip_before_action :require_browser_session!, only: [:create]
       before_action :redirect_if_not_authenticated

data/app/controllers/standard_id/web/reset_password/confirm_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module ResetPassword
       class ConfirmController < BaseController
+        public_controller
         layout "public"
         skip_before_action :require_browser_session!, only: [:show, :update]

data/app/controllers/standard_id/web/reset_password/start_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module ResetPassword
       class StartController < BaseController
+        public_controller
         layout "public"
         skip_before_action :require_browser_session!, only: [:show, :create]

data/app/controllers/standard_id/web/sessions_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class SessionsController < BaseController
+      authenticated_controller
       def index
         @sessions = current_account.sessions.active.order(created_at: :desc)
         @current_session = current_session

data/app/controllers/standard_id/web/signup_controller.rb CHANGED Viewed

@@ -1,6 +1,8 @@
 module StandardId
   module Web
     class SignupController < BaseController
+      public_controller
       include StandardId::InertiaRendering
       layout "public"

data/app/controllers/standard_id/web/verify_email/base_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module VerifyEmail
       class BaseController < StandardId::Web::BaseController
+        public_controller
         skip_before_action :require_browser_session!
       end
     end

data/app/controllers/standard_id/web/verify_phone/base_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ module StandardId
   module Web
     module VerifyPhone
       class BaseController < StandardId::Web::BaseController
+        public_controller
         skip_before_action :require_browser_session!
       end
     end

data/app/models/standard_id/authorization_code.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module StandardId
     before_validation :set_issued_and_expiry, on: :create
-    def self.issue!(plaintext_code:, client_id:, redirect_uri:, scope: nil, audience: nil, account: nil, code_challenge: nil, code_challenge_method: nil, metadata: {})
+    def self.issue!(plaintext_code:, client_id:, redirect_uri:, scope: nil, audience: nil, account: nil, code_challenge: nil, code_challenge_method: nil, nonce: nil, metadata: {})
       create!(
         account: account,
         code_hash: hash_for(plaintext_code),
@@ -26,6 +26,7 @@ module StandardId
         audience: audience,
         code_challenge: code_challenge,
         code_challenge_method: code_challenge_method,
+        nonce: nonce,
         issued_at: Time.current,
         expires_at: Time.current + default_ttl,
         metadata: metadata || {}

data/lib/standard_id/authorization_bypass.rb ADDED Viewed

@@ -0,0 +1,121 @@
+module StandardId
+  module AuthorizationBypass
+    FRAMEWORK_CALLBACKS = {
+      action_policy: :verify_authorized,
+      pundit: :verify_authorized,
+      cancancan: :check_authorization
+    }.freeze
+    MUTEX = Mutex.new
+    private_constant :MUTEX
+    class << self
+      # Skips the host app's authorization callback on all engine controllers,
+      # and also skips authenticate_account! on public controllers (login,
+      # signup, callbacks, etc.) since those must be accessible without a session.
+      #
+      # In production (eager_load=true), controllers are already loaded when
+      # this runs so the registry is populated. In development (eager_load=false),
+      # controllers are loaded lazily on first request; newly registered
+      # controllers receive skips immediately via apply_to_controller (called
+      # from ControllerPolicy.register). The to_prepare block handles class
+      # reloading — after Zeitwerk unloads/reloads classes, the freshly loaded
+      # controllers re-register and receive skips again.
+      def apply(framework: nil, callback: nil)
+        if framework && callback
+          raise ArgumentError, "Provide framework: or callback:, not both"
+        end
+        register_prepare = false
+        MUTEX.synchronize do
+          # Guard against duplicate to_prepare registrations if called more than
+          # once (e.g. in tests or misconfigured initializers). skip_before_action
+          # is idempotent so duplicates are harmless, but this keeps things tidy.
+          return if @callback_name
+          @callback_name = resolve_callback(framework, callback)
+          # @prepared is intentionally NOT cleared by reset!. This ensures
+          # at most one to_prepare block is registered per process lifetime.
+          # Trade-off: after reset! + apply (e.g. in tests switching
+          # frameworks), the to_prepare code path is not re-registered, so
+          # it can only be verified by the first test that calls apply.
+          register_prepare = !@prepared
+          @prepared = true
+        end
+        apply_skips!
+        # Re-apply after class reloading in development. In dev (eager_load=false),
+        # reset_registry! + apply_skips! is effectively a no-op because the
+        # registry is empty at this point — lazy-loaded controllers haven't
+        # registered yet. The real work for lazy-loaded controllers is done by
+        # apply_to_controller (called from ControllerPolicy.register). This
+        # block is still needed because after a Zeitwerk reload, controllers
+        # re-register and apply_to_controller fires again for each one, but the
+        # reset_registry! here clears stale references to the old class objects
+        # to prevent memory leaks in long dev sessions.
+        return unless register_prepare
+        Rails.application.config.to_prepare do
+          StandardId::ControllerPolicy.reset_registry!
+          StandardId::AuthorizationBypass.apply_skips!
+        end
+      end
+      # Whether apply has been called. Used by ControllerPolicy.register to
+      # decide if newly loaded controllers need immediate skip_before_action.
+      def applied?
+        MUTEX.synchronize { !@callback_name.nil? }
+      end
+      # Apply skips to a single controller. Called by ControllerPolicy.register
+      # when a controller is lazily loaded after apply has already been called.
+      def apply_to_controller(controller, policy)
+        callback = MUTEX.synchronize { @callback_name }
+        return unless callback
+        controller.skip_before_action callback, raise: false
+        if policy == :public
+          # authenticate_account! is defined in WebAuthentication, not on API
+          # controllers. raise: false ensures this is a safe no-op for API
+          # controllers that don't have the callback.
+          controller.skip_before_action :authenticate_account!, raise: false
+        end
+      end
+      # @api private — called internally by apply and the to_prepare block.
+      # Must remain public because it is invoked from a to_prepare lambda
+      # registered in apply, which executes outside this module's scope.
+      def apply_skips!
+        StandardId::ControllerPolicy.registry_snapshot.each do |policy, controllers|
+          controllers.each { |controller| apply_to_controller(controller, policy) }
+        end
+      end
+      # @api private — intended for test isolation only.
+      # NOTE: This clears @callback_name (so applied? returns false and apply
+      # can be called again with a different framework) but intentionally does
+      # NOT clear @prepared, so no additional to_prepare block is registered.
+      def reset!
+        MUTEX.synchronize { @callback_name = nil }
+      end
+      private
+      def resolve_callback(framework, callback)
+        if callback
+          callback.to_sym
+        elsif framework
+          FRAMEWORK_CALLBACKS.fetch(framework.to_sym) do
+            raise ArgumentError, "Unknown framework: #{framework}. " \
+              "Supported: #{FRAMEWORK_CALLBACKS.keys.join(', ')}. " \
+              "Or pass callback: :your_callback_name instead."
+          end
+        else
+          raise ArgumentError, "Provide either framework: or callback:"
+        end
+      end
+    end
+  end
+end

data/lib/standard_id/current_attributes.rb CHANGED Viewed

@@ -3,7 +3,7 @@ module StandardId
     extend ActiveSupport::Concern
     included do
-      attribute :session, :account, :request_id, :ip_address, :user_agent
+      attribute :session, :account, :request_id, :ip_address, :user_agent, :scope
     end
   end
 end

data/lib/standard_id/events.rb CHANGED Viewed

@@ -129,6 +129,7 @@ module StandardId
           enriched[:ip_address] ||= ::Current.ip_address if ::Current.respond_to?(:ip_address) && ::Current.ip_address.present?
           enriched[:user_agent] ||= ::Current.user_agent if ::Current.respond_to?(:user_agent) && ::Current.user_agent.present?
           enriched[:current_account] ||= ::Current.account if ::Current.respond_to?(:account) && ::Current.account.present?
+          enriched[:scope] ||= ::Current.scope if ::Current.respond_to?(:scope) && ::Current.scope.present?
         end
         enriched.merge(payload)